#1415 nntp traffic from foreign host

[Thomas]

Hi. My avast a/v program has flagged nntp traffic, that appears to be an ssh tunnel someone attached to my privoxy client! help please! windows 7. I am using windows firewall

[Fabian Keil]

If there really is are tunnels going through Privoxy, you should be able to find them in the logfile after enabling logging. Did you try that already?
http://www.privoxy.org/user-manual/contact.html#CONTACT-BUGS

To tunnel ssh through Privoxy you'd need either access to its listening port which by default is available on the localhost only, or have write access to Privoxy's memory in which case the system would already be compromised. For the ssh tunnel to end on your system you'd also need ssh-capable software on your system, and I don't think Windows 7 has got any.

An "ssh tunnel" should be encrypted, so detecting that it's used for nntp traffic isn't exactly trivial. I don't think the average a/v snake oil can do that and my first guess would be that your "a/v program" is reporting nonsense.

You could try shutting down Privoxy to see if the "a/v program" is still detecting things.

[Thomas]

Hi, here is part of my avast log, I am still crawling through a bunch of documentation on ssh exploits...

3/28/2011 6:22:29 PM 000005E8: OS Windows Vista Workstation (Service Pack 1)
3/28/2011 6:22:29 PM 000005E8: PopListen 127.0.0.1 12110
3/28/2011 6:22:29 PM 000005E8: SmtpListen 127.0.0.1 12025
3/28/2011 6:22:29 PM 000005E8: ImapListen 127.0.0.1 12143
3/28/2011 6:22:29 PM 000005E8: NntpListen 127.0.0.1 12119
3/28/2011 6:22:29 PM 000005E8: PopListenSSL 127.0.0.1 12995
3/28/2011 6:22:29 PM 000005E8: SmtpListenSSL 127.0.0.1 12465
3/28/2011 6:22:29 PM 000005E8: ImapListenSSL 127.0.0.1 12993
3/28/2011 6:22:29 PM 000005E8: NntpListenSSL 127.0.0.1 12563
3/28/2011 6:22:29 PM 000005E8: Accounts telesp-NNTP:telesp.net.br(NNTP)-SSL(563)
3/28/2011 6:22:29 PM 000005E8: AutoRedirect 1
3/28/2011 6:22:29 PM 000005E8: IgnoreLocalhost 1
3/28/2011 6:22:29 PM 000005E8: POP Start: 1
3/28/2011 6:22:29 PM 000005E8: POP RedirectPort: 110
3/28/2011 6:22:29 PM 000005E8: SMTP Start: 1
3/28/2011 6:22:29 PM 000005E8: SMTP RedirectPort: 25,587
3/28/2011 6:22:29 PM 000005E8: IMAP Start: 1
3/28/2011 6:22:29 PM 000005E8: IMAP RedirectPort: 143
3/28/2011 6:22:29 PM 000005E8: NNTP Start: 1
3/28/2011 6:22:29 PM 000005E8: NNTP RedirectPort: 119
3/28/2011 6:22:29 PM 000005E8: POPs Start: 1
3/28/2011 6:22:29 PM 000005E8: POPs RedirectPort: 995
3/28/2011 6:22:29 PM 000005E8: SMTPs Start: 1
3/28/2011 6:22:29 PM 000005E8: SMTPs RedirectPort: 465
3/28/2011 6:22:29 PM 000005E8: IMAPs Start: 1
3/28/2011 6:22:29 PM 000005E8: IMAPs RedirectPort: 993
3/28/2011 6:22:29 PM 000005E8: NNTPs Start: 1
3/28/2011 6:22:29 PM 000005E8: NNTPs RedirectPort: 563

...

3/28/2011 6:32:35 PM 00000E08: getnameinfo error 11001
3/28/2011 6:32:50 PM 0000050C: Cannot connect to NNTP server 78.69.236.44 (78.69.236.44:563), connect error 10060
3/28/2011 6:32:51 PM 00000F3C: Cannot connect to NNTP server 99.1.97.164 (99.1.97.164:563), connect error 10060
3/28/2011 6:32:51 PM 00000DE0: Cannot connect to NNTP server 94.75.126.128 (94.75.126.128:563), connect error 10060
3/28/2011 6:32:52 PM 00000180: Cannot connect to NNTP server 187.14.184.249 (187.14.184.249:563), connect error 10060
3/28/2011 6:32:57 PM 00000318: Cannot connect to NNTP server 178.156.71.97 (178.156.71.97:563), connect error 10060
3/28/2011 6:33:18 PM 00000974: Cannot connect to NNTP server 178.156.71.97 (178.156.71.97:563), connect error 10060
3/28/2011 6:33:44 PM 000006AC: getnameinfo error 11001
3/29/2011 7:25:49 AM 000005E8: Accounts telesp-NNTP:telesp.net.br(NNTP)-SSL(563)

[Thomas]

many entries like this in wireshark:

555 7.742760 174.49.182.253 76.103.244.6 TCP 20555 > nntps [SYN] Seq=0 Win=8192 Len=0 MSS=1460
149 1.741152 174.49.182.253 76.103.244.6 TCP 20555 > nntps [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
556 7.742800 174.49.182.253 24.60.126.253 TCP 20556 > nntps [SYN] Seq=0 Win=8192 Len=0 MSS=1460
150 1.741190 174.49.182.253 24.60.126.253 TCP 20556 > nntps [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2

I don't even have a news client

[Thomas]

avast! has detected a secure connection from your mail program (process privoxy.exe) to the NNTP server 201.37.217.175 (virtua.com.br)

virtua.com.br appears to be a home user broadband provider in Brazil.

3789 80.677949 201.37.217.175 174.49.182.253 TCP nntps > 24357 [ACK] Seq=1 Ack=2 Win=65192 Len=0
3790 80.683457 201.37.217.175 174.49.182.253 TCP 57995 > 24512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=0
3799 81.051139 201.37.217.175 174.49.182.253 TCP 57995 > 24512 [ACK] Seq=1 Ack=64 Win=65472 Len=0

I'm logging debug 1 in privoxy, but I didn't have it started at this debug level when the alert came in from avast

[Thomas]

privoxy logs: avast flagged 24.160.187.100
This is a limited set of debug 1 log.
563 is nntps (ssh)
443 ssl
what is going on here, these IP's are apparently home users

Mar 30 23:03:33.288 00001108 Request: 216.186.249.240:563/
Mar 30 23:03:33.288 000002e8 Request: 70.190.39.118:563/
Mar 30 23:03:33.444 000007e4 Request: 70.190.135.211:443/
Mar 30 23:03:33.459 000012ac Request: 65.189.50.115:563/
Mar 30 23:03:33.506 000013e8 Request: 68.102.177.213:563/
Mar 30 23:03:33.506 000012b4 Request: 99.127.216.167:563/
Mar 30 23:03:33.522 00001318 Request: 75.91.5.165:443/
Mar 30 23:03:33.522 000007fc Request: 154.5.45.251:563/
Mar 30 23:03:33.553 00000cf8 Request: 72.24.229.155:563/
Mar 30 23:03:33.569 0000123c Request: 74.58.165.14:563/
Mar 30 23:03:33.569 00000dc0 Request: 76.182.181.78:563/
Mar 30 23:03:33.975 00001394 Request: 72.49.22.112:443/
Mar 30 23:03:33.975 00001300 Request: 63.123.150.2:443/
Mar 30 23:03:37.084 00000dbc Request: 174.134.197.165:563/
Mar 30 23:03:37.319 000011b0 Request: 66.87.2.147:563/
Mar 30 23:03:37.522 00000a74 Request: 161.109.224.62:563/
Mar 30 23:03:52.522 00000260 Request: 66.45.159.29:563/
Mar 30 23:03:52.678 00000a90 Request: 72.161.28.212:563/
Mar 30 23:03:54.459 0000110c Request: 216.186.249.240:443/
Mar 30 23:03:54.459 0000126c Request: 70.190.39.118:443/
Mar 30 23:03:54.678 00001060 Request: 65.189.50.115:443/
Mar 30 23:03:54.741 00001098 Request: 68.102.177.213:443/
Mar 30 23:03:54.741 000010f8 Request: 154.5.45.251:443/
Mar 30 23:03:54.741 000011bc Request: 99.127.216.167:443/
Mar 30 23:03:54.897 00000458 Request: 74.58.165.14:443/
Mar 30 23:03:54.913 0000108c Request: 72.24.229.155:443/
Mar 30 23:03:54.913 00000f1c Request: 76.182.181.78:443/
Mar 30 23:03:58.163 00000270 Request: 174.134.197.165:443/
Mar 30 23:03:58.413 00000818 Request: 66.87.2.147:443/
Mar 30 23:03:58.600 000004ec Request: 161.109.224.62:443/
Mar 30 23:04:06.688 0000117c Request: 177.9.193.155:57049/
Mar 30 23:04:13.768 00000920 Request: 72.161.28.212:443/
Mar 30 23:04:13.827 00000bc8 Request: 66.45.159.29:563/
Mar 30 23:04:34.911 000013c0 Request: 66.45.159.29:443/
Mar 30 23:04:46.777 00000cc8 Request: 24.160.187.100:56337/
Mar 30 23:04:47.183 00001154 Request: 24.160.187.100:56337/
Mar 30 23:04:48.027 000002cc Request: 24.160.187.100:563/
Mar 30 23:04:48.417 00000bac Request: 24.160.187.100:563/
Mar 30 23:04:48.792 0000051c Request: 24.160.187.100:443/
Mar 30 23:04:49.199 00000a08 Request: 24.160.187.100:443/

[Fabian Keil]

If you'd increase Privoxy's debug level you should see where the requests are coming from and what the content is.

Note that NNTPS is NNTP over TLS/SSL, not NNTP over SSH.

Also your wireshark log only seems to show that the NNTPS default port is used, not that there's actual NNTPS traffic.

I have no idea how to interpret the Avast log in a meaningful way. The entry:
3/28/2011 6:32:57 PM 00000318: Cannot connect to NNTP server 178.156.71.97 (178.156.71.97:563), connect error 10060
seems to indicate that Avast itself tried to connect to the server ...

[Thomas]

Hi. This kind of got sidelined for a minute. Avast flagged process prixovy.exe as the 'email client' or how it interpreted the connection for nntp. I am going to dive back into this one this week, I didn't really want to block 563. Not sure how flexible the free avast product will be in terms of 'linking' it with privoxy as a client process,